VYPR

npm · Malicious package advisory

Malware

eslint-angular-react

MAL-2026-10498

Malicious code in eslint-angular-react (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a9a6248527167bc121cdf2c1a874adbc9d433dbe4be2aed160e8abb3eb2ca63b)
package.json declares a preinstall lifecycle script that runs curl against the hardcoded bare IP http://109.71.252.153:8080/ at npm install time, sending the installer's OS (uname -s), username (whoami), working directory (pwd), and hostname as query-string parameters. The script fires automatically on `npm install` with no user interaction. The package ships only README and package.json — the declared `main: index.js` is absent and no ESLint functionality is provided — so the package's sole effect on the installer is the reconnaissance beacon. The name impersonates the ESLint plugin namespace (eslint-* / Angular / React), consistent with a typosquat/dependency-confusion lure aimed at developers searching for an ESLint plugin.

Compromised versions (1)

  • 110.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.